Support for DirectAccess

Overview

Microsoft DirectAccess is a technology that provides remote connectivity to devices running Windows 7 or later. Similar in concept to a traditional virtual private network (VPN), DirectAccess allows users to securely access network resources inside the intranet of their organization when connected to the Internet. Unlike traditional VPN connections, which usually require explicit user action to be initiated and terminated, DirectAccess is transparent to the end user and automatically connects to the intranet of the company when needed.

DirectAccess relies on clients and applications that support the IPv6 stack. It encapsulates the traffic to route it through the Internet. Once the traffic reaches the intranet, a companion technology translates the IPv6 addresses into IPv4 if needed; that is, if the intranet uses IPv4 internally, which is usually the case.

Impact on Nexthink

Since DirectAccess requires client applications to use IPv6, three Nexthink products are impacted when a set of devices in your organization connects to the corporate network via DirectAccess: the Collector, the Engine, and the Finder.

Collector

The Collector must be able to send information to the Engine from devices that connect to the intranet of their organization through DirectAccess. Therefore, the Collector must use IPv6 to send its information. In addition, the Collector must be able to capture network information of those applications running on devices connected through DirectAccess, which also use the IPv6 stack.

When installing the Collector in a DirectAccess environment, check the option Prefer IPv6 when running the Collector installer, or set the MSI parameter DRV_PREFERIPV6, so that the Collector uses IPv6 rather than IPv4 to send information. If the Collector is already installed, you can change this setting with the Collector configuration tool by adjusting the value of the parameter prefer_ipv6.

Engine

The Engine must be able to detect Collector traffic coming from DirectAccess and translate the received IPv6 addresses to their IPv4 counterparts within the intranet. To identify Collector traffic, the Engine needs to know the IPv6 subnetwork used by DirectAccess.

By default, the Engine identifies and translates IPv6 addresses in the subnet fda9:11e5:84fa::/48. If you use a different subnetwork, configure the Engine as in the following example, replacing the DirectAccess prefix shown with your own:

  1. Stop the Engine:
    sudo systemctl stop [email protected]
  2. Configure the IPv6 subnet:
    sudo nxinfo config -s "direct_access.prefix=fda9:11e5:84fa::/48"
  3. Restart the Engine:
    sudo systemctl start [email protected]
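
A pre-check for the prefix before it goes into step 2, as an added example that is not Nexthink code: it rejects malformed values and shows which source addresses fall inside the prefix. The function names are hypothetical, the sample addresses are constructed, and it assumes that membership in the prefix is the only criterion, as stated above.

```python
import ipaddress

DEFAULT_PREFIX = "fda9:11e5:84fa::/48"  # Engine default stated on this page


def parse_prefix(text):
    """Return a validated IPv6 network, or raise ValueError with the reason."""
    text = text.strip()
    if "/" not in text:
        raise ValueError(f"{text!r} has no prefix length (expected e.g. /48)")
    try:
        # strict=True rejects host bits set, e.g. fda9:11e5:84fa::1/48
        net = ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        raise ValueError(f"invalid prefix {text!r}: {exc}") from None
    if net.version != 6:
        raise ValueError(f"{text!r} is IPv4; DirectAccess clients use IPv6")
    return net


def config_argument(text):
    """Build the key=value string for `nxinfo config -s` from a checked prefix."""
    return f"direct_access.prefix={parse_prefix(text).compressed}"


def classify(sources, prefix=DEFAULT_PREFIX):
    """Split source addresses into those inside and outside the prefix."""
    net = parse_prefix(prefix)
    inside, outside = [], []
    for src in sources:
        addr = ipaddress.ip_address(src.split("%", 1)[0])  # drop any zone id
        (inside if addr.version == 6 and addr in net else outside).append(src)
    return inside, outside


# Constructed sample Collector source addresses (not from a real deployment).
SAMPLE_SOURCES = [
    "fda9:11e5:84fa:1::a1",    # inside the default /48
    "FDA9:11E5:84FA:ffff::1",  # same /48, upper-case spelling
    "fda9:11e5:84fb::1",       # neighbouring /48, outside
    "10.20.30.40",             # plain IPv4 Collector
    "fe80::1%eth0",            # link-local with zone id
]

if __name__ == "__main__":
    print(config_argument(DEFAULT_PREFIX))
    inside, outside = classify(SAMPLE_SOURCES)
    print("matched by prefix:", inside)
    print("not matched:", outside)
```

An address that lands in the "not matched" list for a device known to connect through DirectAccess indicates that the configured prefix does not cover the subnet actually in use.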

Finder

The Finder must be able to connect to both the Portal and the Engine even when run from a device connected to the corporate network via DirectAccess. In the case of the Finder, no additional configuration is needed, but you must use DNS names in the login dialog to resolve the address of the Portal, because the dialog does not support IPv6 addresses.